[CI] Harden Defend Workflows VM provisioning #254354
patrykkopycinski merged 3 commits into elastic:main
- Bump diskSizeGb from 105 to 120 across all DW pipeline configs
- Add pre-flight disk space check before vagrant up (fail fast <10GB)
- Add vagrant up retry logic (2 attempts) with cleanup between retries
- Replace apt-get install unzip with python3 zipfile wrapper (no network)
- Harden Vagrantfile: mkdir -p, capture stdout/stderr for diagnostics
/ci
/ci
/ci
dfe64ce to bc41042
/ci
bc41042 to 2fbd209
/ci
- Add ensure_virtualbox.sh: checks, recovers, or installs VirtualBox
- Source ensure_virtualbox.sh in all 4 DW shell scripts
- Set VAGRANT_DEFAULT_PROVIDER=virtualbox on CI
- Add ensureVirtualBoxProvider() in vm_services.ts as defense-in-depth
- Pre-flight disk space check before vagrant up
- Vagrant up retry logic (2 attempts) with cleanup between retries
- Replace apt-get install unzip with python3 zipfile wrapper (no network)
- Proper TypeScript error type casts
/ci
eced2de to 00a9766
/ci
00a9766 to a338326
/ci
- Add ensure_virtualbox.sh: checks, recovers, or installs VirtualBox
- Default VAGRANT_DEFAULT_PROVIDER=virtualbox on CI to skip auto-discovery
- Add ensureVirtualBoxProvider() in vm_services.ts as defense-in-depth
- Keep local runs unchanged (VMware auto-discovery preserved)
/ci
a338326 to 83a1856
- Improved ensure_virtualbox.sh: kernel module check, VBox 7.1 upgrade path, DKMS diagnostics
- Vagrantfile: use simple apt-get install unzip (matching PR)
- vm_services.ts: refined ensureVirtualBoxProvider with proper kernel module detection and VBox 7.1 upgrade fallback
💛 Build succeeded, but was flaky
|
| } | ||
|
|
||
| _upgrade_to_vbox71() { | ||
| echo "Upgrading to VirtualBox 7.1 (supports newer kernels)..." |
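Review bot: the `echo` at the top of `_upgrade_to_vbox71()` prints a fixed message that does not say what is being replaced or on which kernel. Consider including the currently installed VirtualBox version and the output of `uname -r` in that line, so the build log records what triggered the upgrade path.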
Is it better to make sure CI images ship with VirtualBox 7.1? Should we add a TODO / open a ticket for it?
Definitely, having it on CI images is a better long-term solution, but I think it would make sense to keep it here as well, so we have better logs if it starts failing again in the future.
ashokaditya left a comment
Thanks for the changes!! I've a few suggestions but otherwise LGTM. 🚢 it!
| return; | ||
| } | ||
|
|
||
| const loadModules = async (): Promise<boolean> => { |
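Review bot: `loadModules` returns `Promise<boolean>` with nothing on the declaration saying what `false` means. Add a short doc comment stating whether `false` covers "load attempted and failed" as well as "modules not present", and whether errors from the load attempt are swallowed or logged, since callers branch on this value.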
Consider renaming this to `isVirtualBoxLoaded` or `areModulesLoaded`.
| log?: ToolingLog; | ||
| } | ||
|
|
||
| const ensureVirtualBoxProvider = async (log: ToolingLog): Promise<void> => { |
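Review bot: `log` is optional in the interface that closes just above (`log?: ToolingLog;`), while `ensureVirtualBoxProvider` takes a required `log: ToolingLog`. If the call site forwards the option, it needs a default logger or a guard before the call; otherwise consider making the parameter optional here as well.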
Consider moving the `CreateVagrantVmOptions` type close to the `createVagrantHostVmClient` function below.
| if (await upgradeToVbox71()) { | ||
| return; | ||
| } | ||
|
|
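Review bot: the early `return` inside `if (await upgradeToVbox71())` treats the helper's boolean as proof that the provider is usable. Unless `upgradeToVbox71()` itself re-runs the kernel module check, repeat that check here before returning, so that an upgrade which installs cleanly but still leaves the module unloaded fails at this point rather than later during provisioning.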
Should we log here that upgrade was successful?
Starting backport for target branches: 8.19, 9.2, 9.3 https://github.com/elastic/kibana/actions/runs/22300406621
- Rename loadModules to tryLoadModules for clarity
- Move CreateVagrantVmOptions interface next to createVagrantVm
- Log success message after VirtualBox 7.1 upgrade
## Summary

Fixes Defend Workflows Cypress CI failures caused by VirtualBox kernel module not being loaded on CI agents. The CI image ships with VirtualBox 7.0.x, but recent GCP kernel updates (`6.17.0-1008-gcp`) break module compilation for that version.

### Changes

**New: `ensure_virtualbox.sh`** — shared pre-flight script sourced by all Defend Workflows CI scripts. It:

1. Checks if `VBoxManage --version` reports a healthy state (not just exit code — parses output for "kernel module is not loaded" warning)
2. Attempts to load existing kernel modules (`modprobe vboxdrv`, `/sbin/vboxconfig`)
3. If module build fails (kernel too new for VirtualBox 7.0.x), upgrades to **VirtualBox 7.1** from Oracle's repo which supports newer kernels
4. Exports `VAGRANT_DEFAULT_PROVIDER=virtualbox` to skip Vagrant's provider auto-discovery
5. Prints full diagnostics on failure (packages, kernel version, DKMS status)

**Updated: `vm_services.ts`**

- `VAGRANT_DEFAULT_PROVIDER=virtualbox` set in vagrant env on CI (local dev keeps VMware auto-discovery)
- Pre-flight disk space check

**Updated: `Vagrantfile`**

- Installs `unzip` via `apt-get` for provisioning

### Files changed

- `.buildkite/scripts/steps/functional/ensure_virtualbox.sh` (new)
- `.buildkite/scripts/steps/functional/defend_workflows*.sh` (4 files — source ensure_virtualbox.sh)
- `x-pack/.../endpoint/common/vm_services.ts`
- `x-pack/.../endpoint/common/vagrant/Vagrantfile`

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>

(cherry picked from commit 11333fb)
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI.
Questions? Please refer to the Backport tool documentation
# Backport

This will backport the following commits from `main` to `9.3`:

- [[CI] Harden Defend Workflows VM provisioning (#254354)](#254354)

### Questions ?

Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport)

Co-authored-by: Patryk Kopyciński <contact@patrykkopycinski.com>
# Backport

This will backport the following commits from `main` to `9.2`:

- [[CI] Harden Defend Workflows VM provisioning (#254354)](#254354)

### Questions ?

Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport)

Co-authored-by: Patryk Kopyciński <contact@patrykkopycinski.com>
# Backport

This will backport the following commits from `main` to `8.19`:

- [[CI] Harden Defend Workflows VM provisioning (#254354)](#254354)

### Questions ?

Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport)

Co-authored-by: Patryk Kopyciński <contact@patrykkopycinski.com>
…4354)

Cherry-pick from patrykkopycinski/kibana#254354 (83a1856):
- Add ensure_virtualbox.sh for VirtualBox kernel module recovery
- Source ensure_virtualbox.sh in all 4 DW shell scripts
- Set VAGRANT_DEFAULT_PROVIDER=virtualbox on CI
- Add ensureVirtualBoxProvider() in vm_services.ts
- Vagrant up retry logic with cleanup between attempts
- Combine apt-get update+install in Vagrantfile
## Summary

Fixes Defend Workflows Cypress CI failures caused by VirtualBox kernel module not being loaded on CI agents. The CI image ships with VirtualBox 7.0.x, but recent GCP kernel updates (`6.17.0-1008-gcp`) break module compilation for that version.

### Changes

**New: `ensure_virtualbox.sh`** — shared pre-flight script sourced by all Defend Workflows CI scripts. It:

1. Checks if `VBoxManage --version` reports a healthy state (not just exit code — parses output for "kernel module is not loaded" warning)
2. Attempts to load existing kernel modules (`modprobe vboxdrv`, `/sbin/vboxconfig`)
3. If module build fails (kernel too new for VirtualBox 7.0.x), upgrades to **VirtualBox 7.1** from Oracle's repo which supports newer kernels
4. Exports `VAGRANT_DEFAULT_PROVIDER=virtualbox` to skip Vagrant's provider auto-discovery
5. Prints full diagnostics on failure (packages, kernel version, DKMS status)

**Updated: `vm_services.ts`**

- `VAGRANT_DEFAULT_PROVIDER=virtualbox` set in vagrant env on CI (local dev keeps VMware auto-discovery)
- Pre-flight disk space check

**Updated: `Vagrantfile`**

- Installs `unzip` via `apt-get` for provisioning

### Files changed

- `.buildkite/scripts/steps/functional/ensure_virtualbox.sh` (new)
- `.buildkite/scripts/steps/functional/defend_workflows*.sh` (4 files — source ensure_virtualbox.sh)
- `x-pack/.../endpoint/common/vm_services.ts`
- `x-pack/.../endpoint/common/vagrant/Vagrantfile`
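
The output-based health check and the recovery order described in the summary, sketched as an added example (this is not the PR's `ensure_virtualbox.sh`). The sample outputs are constructed, and the function and step names (`vbox_state`, `vbox_series`, `next_step`, `probe_vbox`) are hypothetical.

```shell
#!/bin/sh
# Added example: classify `VBoxManage --version` by its text, not only by its
# exit status, then pick the next recovery step in the order the summary lists.

# Constructed sample outputs (not captured from a real CI agent).
SAMPLE_OK='7.1.0r000000'
SAMPLE_NO_MODULE='WARNING: The vboxdrv kernel module is not loaded. Either there is no module
         available for the current kernel (6.17.0-1008-gcp) or it failed to
         load.
7.0.0r000000'
SAMPLE_GARBAGE='VBoxManage: error: unexpected output'

# vbox_series <output>: print "major.minor" from the last line that starts
# with a version number, or nothing if no such line exists.
vbox_series() {
  printf '%s\n' "$1" \
    | sed -n 's/^\([0-9][0-9]*\.[0-9][0-9]*\)\.[0-9].*/\1/p' \
    | tail -n 1
}

# vbox_state <exit_code> <combined stdout+stderr>
# Prints: healthy | module_not_loaded | unusable
vbox_state() {
  vs_rc="$1"
  vs_out="$2"
  if [ "$vs_rc" -ne 0 ]; then
    echo unusable
    return 0
  fi
  # The warning can accompany exit status 0 and a valid version line,
  # so it is checked before the version string is accepted.
  case "$vs_out" in
    *"kernel module is not loaded"*)
      echo module_not_loaded
      return 0
      ;;
  esac
  if [ -n "$(vbox_series "$vs_out")" ]; then
    echo healthy
  else
    echo unusable
  fi
}

# next_step <state> <modules_tried 0|1> <upgrade_tried 0|1>
# Mirrors the summary: load modules, then upgrade, then diagnose and fail.
next_step() {
  case "$1:$2:$3" in
    healthy:*)             echo export_provider ;;
    module_not_loaded:0:*) echo load_modules ;;
    *:*:0)                 echo upgrade ;;
    *)                     echo diagnose_and_fail ;;
  esac
}

# probe_vbox: run the real binary when present and classify its output.
probe_vbox() {
  if ! command -v VBoxManage >/dev/null 2>&1; then
    echo unusable
    return 0
  fi
  probe_rc=0
  probe_out="$(VBoxManage --version 2>&1)" || probe_rc=$?
  vbox_state "$probe_rc" "$probe_out"
}

# Demo on the constructed samples.
for sample in "$SAMPLE_OK" "$SAMPLE_NO_MODULE"; do
  printf '%s -> %s\n' "$(vbox_series "$sample")" "$(vbox_state 0 "$sample")"
done
```
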